GCP Private Service Connect(PSC): Service Consumption

Ishaq Shaikh
Google Cloud - Community
7 min read · Oct 22, 2023

In the previous section of the blog, we explored Private Service Connect, including its internal architecture and the process of publishing a managed service using Private Service Connect.

In this section, we will continue the exploration with the following topics:

  • Accessing Private Service Connect(PSC) Published Service
  • Different Private Service Connect Topologies
  • Security aspects of Private Service Connect
  • Key Monitoring Metrics for Private Service Connect (PSC)

Accessing Private Service Connect Published Service

In the last section, we covered the procedure for publishing a managed PostgresDB service with Private Service Connect.

PSC service attachment

Now, in this section, we will explore a straightforward method for accessing the above published service using a PSC endpoint.
These exact steps can be applied in a different project to achieve identical results.
However, in this section, we’ll be creating the endpoint in the same project but within a different VPC, referred to as “vpc-gcp.”

  1. Internal IP address reservation for the Endpoint

gcloud compute addresses create pgsql-psc-endpoint-ip-01 \
--region asia-south1 --subnet asia-sth1-subnet-01 \
--addresses 10.101.0.3 --project=rich-principle-394408

Make sure to replace the target VPC “subnet” and the respective attributes in the above gcloud command.

  2. PSC Endpoint creation

gcloud compute forwarding-rules create pgsql-psc-endpoint-01 \
--region asia-south1 --network vpc-gcp \
--address pgsql-psc-endpoint-ip-01 \
--target-service-attachment \
projects/rich-principle-394408/regions/asia-south1/serviceAttachments/pgsql-attchmnt \
--project=rich-principle-394408

In the above command projects/rich-principle-394408/regions/asia-south1/serviceAttachments/pgsql-attchmnt is the Service attachment URI.

  3. Accessing the above PSC Endpoint

Now, let’s test the end-to-end PSC flow. Using the provided Endpoint IP address (10.100.0.3), we should be able to connect to the PostgreSQL database hosted in a different network, which has been published using PSC.

Created Private Service connect endpoint
Source VM to access the Target DB VM
Accessing DB over PSC

Coool… As seen above, we were successfully able to access the DB through the PSC endpoint via the PSC network connectivity flow 🙌
Let’s now cover the other important aspects of PSC 🙂

Different Private Service Connect Topologies

Private Service Connect provides adaptable service deployment choices, including some of the following options:

  • Single-Tenant: In this case, services are dedicated to one consumer or tenant. They’re isolated in a separate VPC network, unique to that tenant. While access is exclusive to one tenant, that tenant can establish multiple endpoints for different VPC networks. An accept list controls who can connect, ensuring exclusive access.
Single-Tenant PSC Deployment pattern
  • Multi-Tenant: Here, the service can be accessed by multiple consumers or tenants. On the publisher (producer) side, the consumer accept list is set up to allow connections from various projects. This list helps manage PSC connections per project, preventing quota exhaustion. To track the traffic’s source, the service publisher/producer can enable the PROXY protocol.
Multi-Tenant PSC Deployment pattern
  • Reverse Private Connectivity: This occurs when managed services, instead of consumers, initiate connections to consumer-owned services.
    Here, consumers enable this by deploying Private Service Connect in reverse.
    This involves setting up an internal load balancer and a service attachment in the consumer VPC, effectively sharing their service with producers.
    Both parties then use Private Service Connect in both the forward and reverse directions, establishing bidirectional connectivity.
Reverse Private Connectivity Deployment pattern
  • Hybrid: Private Service Connect extends beyond Google Cloud, encompassing hybrid and multi-cloud environments. Hybrid services are accessible via hybrid NEGs, compatible with supported load balancers. This deployment enables producers to connect with consumer hybrid networks without establishing direct connections to those networks.

This guide showcases setting up a regional internal proxy Network Load Balancer with hybrid connectivity.

Security aspects of Private Service Connect

Private Service Connect offers a range of options for managing access to its resources. These options cover various aspects, including determining who can deploy Private Service Connect resources, controlling connections between consumer and producer VPC projects, and specifying the network traffic that is permitted to access these connections.

These controls can be achieved through the following elements:

  • GCP IAM permissions: These specify which IAM principals are authorized to deploy Private Service Connect resources, including endpoints, service attachments and backends.
    An IAM principal can be any of the following: a Google Account, a service account, a Google group, a Google Workspace account, or a Cloud Identity domain account that has the permissions to access a particular resource.
  • Organisation policies: These let us broadly control which projects can connect to VPC networks or organisations by using PSC.
    Producer (publisher)-side organization policies: With the compute.restrictPrivateServiceConnectConsumer policy, we can control which endpoints can connect to Private Service Connect service attachments within a publisher (producer) organization or project.
    This control mechanism is similar to accept and reject lists. However, organization policies have a broader scope, applying to all service attachments within a project or organization rather than to individual service attachments.
    Consumer-side organization policies:
    i. With the compute.restrictPrivateServiceConnectProducer policy, we control which service attachments endpoints and backends can connect to, based on the producer organization.
    ii. With the compute.disablePrivateServiceConnectCreationForConsumers policy, we control the deployment of endpoints based on the endpoint’s connection type. We can block the deployment of endpoints that connect to Google APIs or to published services.
  • PSC Accept and Reject Lists: Consumer accept and consumer reject lists are security features within service attachments. These lists enable service providers to precisely define which consumer VPC networks or projects can establish Private Service Connect connections to their services.
Service attachment Consumer accept and Consumer reject list

Moreover, consumer accept lists also come with connection limits, allowing the producer to set the maximum number of connections a service attachment accepts from the designated consumer project or VPC network.
It’s important to note that consumer accept lists and consumer reject lists let us specify either projects or VPC networks, but not both simultaneously.
When updates are made to a consumer accept or reject list, the impact on existing connections depends on whether connection reconciliation is enabled.
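As an added example (not part of the original post), the audit below reads a service-attachment description in the shape that `gcloud compute service-attachments describe --format=json` returns and flags the conditions discussed above: automatic acceptance, reconciliation disabled, a multi-tenant attachment without PROXY protocol, pending connections, and exhausted accept-list connection limits. The JSON document, project ids, endpoint names and connection ids are constructed; the field names follow the Compute API service attachment resource.

```python
import json

# Constructed sample in the shape of `gcloud compute service-attachments describe --format=json`;
# field names follow the Compute API serviceAttachment resource, values are made up.
SAMPLE_ATTACHMENT = json.loads("""{
  "name": "pgsql-attchmnt", "connectionPreference": "ACCEPT_MANUAL",
  "enableProxyProtocol": false, "reconcileConnections": false,
  "consumerAcceptLists": [
    {"projectIdOrNum": "consumer-proj-a", "connectionLimit": 2},
    {"projectIdOrNum": "consumer-proj-b", "connectionLimit": 10}
  ],
  "consumerRejectLists": ["consumer-proj-c"],
  "connectedEndpoints": [
    {"endpoint": "projects/consumer-proj-a/regions/asia-south1/forwardingRules/ep-1", "status": "ACCEPTED", "pscConnectionId": "1001"},
    {"endpoint": "projects/consumer-proj-a/regions/asia-south1/forwardingRules/ep-2", "status": "ACCEPTED", "pscConnectionId": "1002"},
    {"endpoint": "projects/consumer-proj-x/regions/asia-south1/forwardingRules/ep-9", "status": "PENDING", "pscConnectionId": "1003"}
  ]
}""")

def project_of(endpoint_url):
    # Consumer endpoint URLs look like projects/<id>/regions/<region>/forwardingRules/<name>
    parts = endpoint_url.split("/")
    return parts[parts.index("projects") + 1]

def audit_service_attachment(att):
    """Return (code, detail) findings for one service attachment document."""
    findings = []
    if att.get("connectionPreference") == "ACCEPT_AUTOMATIC":
        findings.append(("AUTO_ACCEPT", "any consumer project can connect; use ACCEPT_MANUAL with an accept list"))
    if not att.get("reconcileConnections", False):
        findings.append(("NO_RECONCILE", "accept/reject list edits will not touch already-established connections"))
    limits = {e["projectIdOrNum"]: e["connectionLimit"]
              for e in att.get("consumerAcceptLists", []) if "projectIdOrNum" in e}
    if len(limits) > 1 and not att.get("enableProxyProtocol", False):
        findings.append(("NO_PROXY_PROTOCOL", "multi-tenant attachment cannot attribute traffic to a consumer"))
    used = {}  # accepted endpoints per consumer project
    for ep in att.get("connectedEndpoints", []):
        proj, status = project_of(ep["endpoint"]), ep.get("status")
        if status == "ACCEPTED":
            used[proj] = used.get(proj, 0) + 1
        elif status == "PENDING":
            findings.append(("PENDING", f"connection {ep.get('pscConnectionId')} from {proj} awaits a producer decision"))
    for proj, n in used.items():
        if proj not in limits:
            findings.append(("NOT_ON_ACCEPT_LIST", f"{proj} has accepted endpoints but no accept-list entry"))
        elif n >= limits[proj]:
            findings.append(("LIMIT_REACHED", f"{proj} uses {n}/{limits[proj]} connections; further endpoints will not be accepted"))
    return findings
```

Running the audit on the sample reports the disabled reconciliation, the missing PROXY protocol, the pending connection from consumer-proj-x, and the exhausted limit of consumer-proj-a.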

  • VPC Firewall rules: Network-level access to Private Service Connect resources can be controlled using VPC firewall rules.
    For example, consider the following firewall rule.
    It denies the egress traffic from vm-2 to the PSC endpoint subnet.
gcloud compute firewall-rules create deny-all \
--network=vpc-1 \
--direction=egress \
--action=deny \
--destination-ranges=10.33.0.0/24 \
--priority=1000

The rule below allows egress traffic from the “allow-psc”-tagged VM (vm-1) to the endpoint subnet.

gcloud compute firewall-rules create allow-psc \
--network=vpc-1 \
--direction=egress \
--action=allow \
--target-tags=allow-psc \
--destination-ranges=10.33.0.0/24 \
--priority=100
Firewall rule restriction to PSC endpoint
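To make the interplay of the two rules concrete, here is an added example (not from the original post) that models the rules above together with the implied allow-egress rule every VPC network carries and evaluates them with GCP’s semantics: the lowest priority number wins, and deny wins a tie. The VM names, tags and the 10.33.0.5 destination inside the endpoint subnet are constructed.

```python
import ipaddress

# Constructed model of the two egress rules from this section plus the implied
# egress rule every VPC network carries (allow all egress, priority 65535).
# target_tags None means the rule applies to every instance in the network.
RULES = [
    {"name": "deny-all", "priority": 1000, "direction": "EGRESS", "action": "deny",
     "target_tags": None, "destination_ranges": ["10.33.0.0/24"]},
    {"name": "allow-psc", "priority": 100, "direction": "EGRESS", "action": "allow",
     "target_tags": ["allow-psc"], "destination_ranges": ["10.33.0.0/24"]},
    {"name": "implied-allow-egress", "priority": 65535, "direction": "EGRESS",
     "action": "allow", "target_tags": None, "destination_ranges": ["0.0.0.0/0"]},
]

def matches(rule, vm_tags, dst_ip):
    """True if an egress rule applies to this VM (by tag) and destination address."""
    if rule["direction"] != "EGRESS":
        return False
    if rule["target_tags"] is not None and not set(rule["target_tags"]) & set(vm_tags):
        return False
    return any(dst_ip in ipaddress.ip_network(r) for r in rule["destination_ranges"])

def egress_allowed(rules, vm_tags, dst_ip):
    """VPC firewall evaluation: lowest priority number wins, deny beats allow on a tie."""
    ip = ipaddress.ip_address(dst_ip)
    applicable = [r for r in rules if matches(r, vm_tags, ip)]
    if not applicable:
        return True  # no rule at all: the implied egress allow applies
    best = min(r["priority"] for r in applicable)
    tied = [r for r in applicable if r["priority"] == best]
    return all(r["action"] == "allow" for r in tied)

def main():
    for vm, tags, dst in [("vm-1", ["allow-psc"], "10.33.0.5"), ("vm-2", [], "10.33.0.5"),
                          ("vm-2", [], "10.200.0.5")]:
        print(vm, "->", dst, "allowed" if egress_allowed(RULES, tags, dst) else "denied")
    # Without the deny rule, the implied egress allow lets vm-2 reach the endpoint subnet.
    without_deny = [r for r in RULES if r["name"] != "deny-all"]
    print("vm-2 -> 10.33.0.5 without deny-all:", egress_allowed(without_deny, [], "10.33.0.5"))

if __name__ == "__main__":
    main()
```

The last line of output is the caveat worth remembering: the allow rule alone does not restrict anything, because the implied egress rule already permits all traffic; the deny rule is what actually fences the endpoint subnet.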

Key Monitoring Metrics for Private Service Connect (PSC)

Here are some key metrics associated with PSC resources that can offer valuable insights into PSC connections.

Publisher service attachment metrics

  • Connected consumer forwarding rules: The count of consumer PSC endpoint forwarding rules linked to a PSC attachment.
  • Used NAT IP addresses: The number of PSC subnet NAT IP addresses utilized by the consumer forwarding rules.
  • Sent Byte & Sent Packets dropped count: Network bytes and packets sent over the PSC attachment that were dropped.
  • Received Byte & Received Packets dropped count: Network bytes and packets received over the PSC attachment that were dropped.
  • Open & Close connections over service attachment: The number of connections that were initiated and terminated over the PSC attachment during a specified timeframe.
Published Service Connect Attachment Metrics

JSON URL for the above GCP Cloud Monitoring dashboard

Consumer Endpoint metrics

  • Sent Byte & Sent Packets dropped count: Network bytes and packets sent over the PSC endpoint connection ID that were dropped.
  • Received Byte & Received Packets dropped count: Network bytes and packets received over the PSC endpoint connection ID that were dropped.
  • Open & Close connections over service attachment: The number of connections that were initiated and terminated over the PSC endpoint connection ID during a specified timeframe.
Published Service Connect Endpoint Metrics

JSON URL for the above GCP Cloud Monitoring dashboard

Conclusion

Private Service Connect offers a powerful solution for organizations aiming to establish a secure and efficient service-centric network.
It enables seamless, private connections for end applications, eliminating the need for the complex management of VPC peering or VPN setups between networks.
By routing all traffic through Google’s reliable backbone, organizations can easily meet compliance and security requirements.
Furthermore, Private Service Connect introduces a service publisher and consumer model, creating a service-oriented environment that streamlines connectivity and enhances overall network efficiency.
Adopting Private Service Connect isn’t solely about enhancing connectivity; it’s a journey towards elevating an organisation’s networking capabilities to unprecedented levels.
